E-mail encryption
#1
OK, any chance people can indulge my paranoia here???

With all the Edward Snowden news and the revelations about Vodafone granting the Irish authorities unfettered access to data carried on their networks, are people concerned about their personal e-mails?  GSOC seem to be looking to access the e-mail accounts of Gardai they're investigating.  The Journal - Calgary Herald

Sending an unencrypted e-mail has been compared to writing a postcard: any server that the message passes through can read exactly what it says.  Encrypting your e-mail is like sealing it in an envelope.  Even if I'm just sharing a shopping list with Mrs Echo, I don't want everybody to be able to read it!  It doesn't matter what information you're sending, it's really the principle.  However, if you are sending information that shouldn't be in the public domain (i.e. work-related) then absolutely it MUST be encrypted.

The mail is stored encrypted in your inbox or folders; sent mail is also encrypted in your sent folder.  Your computer needs to decrypt the e-mail each time it is opened.  If you are using IMAP, the e-mail is always encrypted on your mailserver and only decrypted on your local device.

There are two types of e-mail encryption available, S/MIME and PGP.  Explanation

PGP involves creating a key-pair on your own PC; your private key is kept solely for use on the devices where you will be sending and receiving mails.  Never give your private key to anyone.  Your public key can be shared with colleagues and/or loaded onto a keyserver such as pgp.mit.edu.  You can search for my key (echo59@esforum.org).  People who 'know' each other and verify their key identity (mine is AF7C8C3B) cross-sign each other's keys and can upload their signatures to the keyservers so everyone can see who trusts whom.  The beauty of PGP is that everything originates on your own PC and the system essentially runs itself.

S/MIME revolves around a certifying authority issuing you with a certificate or key-pair.  Thus the authority verifies who you are.  Most companies will offer a free certificate where only the e-mail address is verified as being real, but this doesn't verify the name of the person associated with that certificate.  In order to have your name included you need to go through a verification or assurance process.  This usually means meeting 2 or more 'notaries' or 'assurers' and presenting them with 2 forms of official photo ID.  If they are happy with the documents they verify your details.  Most unverified certs are valid for either 6 or 12 months.  Verified certificates last 1-2 years before they must be re-issued by the certificate authority.  The benefit of S/MIME is that you are offering assurance that you are who you say you are.  These certs can also be used for digitally signing documents, securing web servers and logging on to sites (OpenSSL).

I've my own S/MIME certificate from an organisation called CACert, which is a free and voluntary service which offers full certification for free.  This also links in with my personal PGP key.  I've also got another PGP key associated with my esforum.org address.  I've set up an unverified S/MIME certificate with a crowd called StartSSL.com using my esforum.org address.  This will only last 1 year though.  If I get verified then my real name goes on the cert but it will last for 2 years.  See the problem???  My PGP keys are set to not expire.

Most desktop e-mail clients can handle both protocols.  Outlook handles S/MIME natively but you need a free plug-in called GPG4WIN to handle PGP.  Other e-mail clients like Thunderbird or Evolution will handle both protocols simultaneously.  The stock iPhone mail app handles S/MIME (I think!)  For Android, the stock Samsung e-mail app handles PGP natively, the Sony app handles S/MIME.  I'm not 100% sure of other phones.  There is a mail app called R2Mail2 that handles both PGP and S/MIME quite well.  Online webmail is a problem though.  Most of the free services (Hotmail, Gmail etc) don't offer encryption.  You can get a plug-in for Gmail that handles PGP but there isn't anything for S/MIME.  The Horde interface offered with the esforum.org e-mail account handles PGP quite well.  It looks like the latest version of Horde does S/MIME also (Admin?????)  However the best thing to do would be to either use your phone/tablet or a desktop app on your PC.

If Admin is agreeable, we could start a thread (possibly in the verified section) where people can publish their PGP keys.  This is probably the best protocol to use as you don't have to give your real-life personal details.  We could cross-certify each other on that level, so for example if Brigade logged in and posted his PGP key I could be assured that it actually came from Brigade, the user on ESF.  I'm not saying that Brigade has identified himself to me as (say) Joe Duffy from Clontarf.  And the reverse would be true.  The signing process is also a method for people to share their keys with each other, so that e-mails can be encrypted and decrypted automatically.  I'd also suggest publishing our cross-signed keys to a keyserver, so that people outside of the verified section could have access to this.

Note: PGP is also known as GPG or OpenPGP.  PGP was initially developed by a guy called Phil Zimmermann and became a commercial outfit.  PGP Inc was bought out by Symantec and is currently owned by them.  GPG is GNU Privacy Guard and is the open-source alternative to PGP.  OpenPGP is the protocol that both the commercial and free products use.

If anyone is interested in this or needs help setting things up, e-mail me at echo59@esforum.org.  Once working, my PGP key is as follows:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (MingW32)

mQENBFOx3VwBCADkbz4UlTx4oSoAcpMo0c1xHZ+vGeJv/v90oEMxqDoZY3yzri+8
Sk7Mpe1oXZdEylPVvrt407ThbH5Gy2wudy7kQms/QXBylw/ImLBF+s1soAEO3NQp
BBmeEzp8vOUSze7CbAg/YLhRuD9q+VgBWhxuB7o5gNZL1bemzsANj+0p9XPYNLHC
EiiGibPVLi2Ntar5ebMvHA0t9Fpet2DHbEwFUmXGFjlQ4ysdW9FwpsxB4No56bHb
kE/rVMzYoSwA48Anuyx+wv0jzfFOM03ryahI5931NzaYGl8dsmNaOnmDB4tuodXy
ykfIBNFNy8eWL+uVaEAvEQzjGmwObjP36NnLABEBAAG0OmVjaG81OSAoRW1lcmdl
bmN5IFNlcnZpY2VzIEZvcnVtIGtleSkgPGVjaG81OUBlc2ZvcnVtLm9yZz6JATgE
EwECACIFAlOx3VwCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEBIlhIav
fIw7iWEIALOweoE+OXz0FHAcUZ0ieeC4yGmPx7/QFdee7Neei7Vz8FDkwcuWUaly
y6v/3b2m/lk6eNGIF0Gp2O2Ul65PVhHRDK6VUmjCZAijHwmhcg+ixI9fx6+us8A4
MB3ekdtrbQ+WM4oPXRmKowd3pgeVXipTpYfJ0Ru10WzgK3fwMeKybluh14rfKNgk
3neBiGYgktTFeUrZSThrI25bgCBunhuLXKEMtFwiXrtY9cIA3CKYYchu1oWd4IxW
QGGakBnFq7SHPoLqO8ekj+mMFOTma68TGmDe7UlbQ4zf12f7k61GZsr5pn+R345W
E9MIIj1h+LPklhk4Nk56frrrD0kjwgG5AQ0EU7HdXAEIALu9wPJlkmUssnRYHvzq
es8TLrZPb4yFxIabmOG/lLfe9DVnbyXRggPj9yDTv45j3XR4lN6ZYpSvvxD89A6p
L2iBvi3uj+MCknnqYp/CKb8OkBq3HW6Wt2uufeoVEfPFVRkzMgG8cMmmEkDsNnhE
yzb3mM9rK0mhTOx3vvXQPcHeGsmlkhszS5J+4JH4PdKMP4jCjkMmyyNnX47XjWou
xXJbdnX3E0bhokfd1NdIHZxtidF+t4bEUMedJLhdQ0MxK9Tw5Y5vCtYRG1mG9/p5
ac20ah57K7WPD9vrStmIiTIcxiaTAea+WEV6za0Zh2wV17GeIGt7yFSqliZFGy3+
xkcAEQEAAYkBHwQYAQIACQUCU7HdXAIbDAAKCRASJYSGr3yMO5voB/4j2j/zvFk3
0oab+dvkkEy8z6TSoc40mMxCuM6/SpuHEXb+mbFLEBEjj0Q2HFYxUZmzzTl6YD/f
8w6vYbgxkOEr4dHEdbikCRG+Ch8Ki1dEblMkDzlL8n9Pa0sDS0gTsGaaNfgu1EeF
TC3ALlB2t74TqoWKJND6n6/fI7XMLqBl1e8Tudc6KhE6vibFF5fVYI0AfRqAWG14
Kmrm9wqklW0MmkSeHCsbO02IdjyjMgWQJOOZ1m+DwqwsmhmoQ5qXeJXdQgMFLDge
W4njbZ0rTiln//b6M6+wvtc6aDge+xznSvx1LrzjQII4VP+ERYsKnDFjVsiMiZf9
32dNImRlY2Nv
=Olga
-----END PGP PUBLIC KEY BLOCK-----
Email: echo59@esforum.org            PGP key: AF7C8C3B
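Post #1 asks people to verify each other's key identity and quotes the short ID AF7C8C3B. The block below is an added example (it is not code from the thread, from GnuPG or from any of the clients mentioned) showing where that ID actually comes from: it strips the ASCII armor of the key posted above, checks the CRC-24 on the "=Olga" line, walks the OpenPGP packets, recomputes the v4 fingerprint from the key material itself, and reads back the issuer ID each signature on the key claims so the two can be compared. It uses only the Python standard library; the only data is the posted key, copied verbatim, and the function names are my own.

```python
import base64
import hashlib
import struct

# The key posted in #1, copied from the thread as-is (page data, not constructed).
POSTED_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (MingW32)

mQENBFOx3VwBCADkbz4UlTx4oSoAcpMo0c1xHZ+vGeJv/v90oEMxqDoZY3yzri+8
Sk7Mpe1oXZdEylPVvrt407ThbH5Gy2wudy7kQms/QXBylw/ImLBF+s1soAEO3NQp
BBmeEzp8vOUSze7CbAg/YLhRuD9q+VgBWhxuB7o5gNZL1bemzsANj+0p9XPYNLHC
EiiGibPVLi2Ntar5ebMvHA0t9Fpet2DHbEwFUmXGFjlQ4ysdW9FwpsxB4No56bHb
kE/rVMzYoSwA48Anuyx+wv0jzfFOM03ryahI5931NzaYGl8dsmNaOnmDB4tuodXy
ykfIBNFNy8eWL+uVaEAvEQzjGmwObjP36NnLABEBAAG0OmVjaG81OSAoRW1lcmdl
bmN5IFNlcnZpY2VzIEZvcnVtIGtleSkgPGVjaG81OUBlc2ZvcnVtLm9yZz6JATgE
EwECACIFAlOx3VwCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEBIlhIav
fIw7iWEIALOweoE+OXz0FHAcUZ0ieeC4yGmPx7/QFdee7Neei7Vz8FDkwcuWUaly
y6v/3b2m/lk6eNGIF0Gp2O2Ul65PVhHRDK6VUmjCZAijHwmhcg+ixI9fx6+us8A4
MB3ekdtrbQ+WM4oPXRmKowd3pgeVXipTpYfJ0Ru10WzgK3fwMeKybluh14rfKNgk
3neBiGYgktTFeUrZSThrI25bgCBunhuLXKEMtFwiXrtY9cIA3CKYYchu1oWd4IxW
QGGakBnFq7SHPoLqO8ekj+mMFOTma68TGmDe7UlbQ4zf12f7k61GZsr5pn+R345W
E9MIIj1h+LPklhk4Nk56frrrD0kjwgG5AQ0EU7HdXAEIALu9wPJlkmUssnRYHvzq
es8TLrZPb4yFxIabmOG/lLfe9DVnbyXRggPj9yDTv45j3XR4lN6ZYpSvvxD89A6p
L2iBvi3uj+MCknnqYp/CKb8OkBq3HW6Wt2uufeoVEfPFVRkzMgG8cMmmEkDsNnhE
yzb3mM9rK0mhTOx3vvXQPcHeGsmlkhszS5J+4JH4PdKMP4jCjkMmyyNnX47XjWou
xXJbdnX3E0bhokfd1NdIHZxtidF+t4bEUMedJLhdQ0MxK9Tw5Y5vCtYRG1mG9/p5
ac20ah57K7WPD9vrStmIiTIcxiaTAea+WEV6za0Zh2wV17GeIGt7yFSqliZFGy3+
xkcAEQEAAYkBHwQYAQIACQUCU7HdXAIbDAAKCRASJYSGr3yMO5voB/4j2j/zvFk3
0oab+dvkkEy8z6TSoc40mMxCuM6/SpuHEXb+mbFLEBEjj0Q2HFYxUZmzzTl6YD/f
8w6vYbgxkOEr4dHEdbikCRG+Ch8Ki1dEblMkDzlL8n9Pa0sDS0gTsGaaNfgu1EeF
TC3ALlB2t74TqoWKJND6n6/fI7XMLqBl1e8Tudc6KhE6vibFF5fVYI0AfRqAWG14
Kmrm9wqklW0MmkSeHCsbO02IdjyjMgWQJOOZ1m+DwqwsmhmoQ5qXeJXdQgMFLDge
W4njbZ0rTiln//b6M6+wvtc6aDge+xznSvx1LrzjQII4VP+ERYsKnDFjVsiMiZf9
32dNImRlY2Nv
=Olga
-----END PGP PUBLIC KEY BLOCK-----"""


def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1 (the value on the '=Olga' line)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF


def dearmor(armored: str):
    """Return (binary packet stream, checksum_ok); armor headers end at the first blank line."""
    body = armored.strip().splitlines()[1:-1]  # drop the BEGIN/END lines
    start = next(i for i, line in enumerate(body) if not line.strip()) + 1
    data = base64.b64decode("".join(l for l in body[start:] if not l.startswith("=")))
    crc_line = next(l for l in body[start:] if l.startswith("="))
    return data, crc24(data) == int.from_bytes(base64.b64decode(crc_line[1:]), "big")


def _length(buf: bytes, pos: int, subpacket: bool = False):
    """One-, two- or five-octet length shared by new-format packets and signature subpackets."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    if first >= 224 and not subpacket:
        raise NotImplementedError("partial body lengths not handled")
    return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2


def parse_packets(data: bytes):
    """Split a binary OpenPGP stream into (tag, body) pairs, RFC 4880 section 4.2."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:  # new-format header: tag in the low 6 bits
            tag, (length, pos) = ctb & 0x3F, _length(data, pos + 1)
        else:  # old-format header: tag in bits 2-5, length-type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise NotImplementedError("indeterminate length not handled")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            pos += 1 + (1 << ltype)
        packets.append((tag, data[pos:pos + length]))
        pos += length
    return packets


def fingerprint(key_body: bytes) -> str:
    """v4 fingerprint (RFC 4880 section 12.2); the quoted 8-hex-digit key ID is its last 32 bits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def signature_issuer(sig_body: bytes) -> str:
    """Key ID a v4 signature *claims* in its issuer subpacket (type 16); empty string if absent."""
    hashed_end = 6 + struct.unpack(">H", sig_body[4:6])[0]
    unhashed_end = hashed_end + 2 + struct.unpack(">H", sig_body[hashed_end:hashed_end + 2])[0]
    for region in (sig_body[6:hashed_end], sig_body[hashed_end + 2:unhashed_end]):
        pos = 0
        while pos < len(region):
            length, pos = _length(region, pos, subpacket=True)
            if (region[pos] & 0x7F) == 16:
                return region[pos + 1:pos + length].hex().upper()
            pos += length
    return ""
```

`parse_packets(dearmor(POSTED_KEY)[0])` yields five packets: public key (tag 6), user ID (13), self-signature (2), subkey (14) and subkey-binding signature (2). `fingerprint(packets[0][1])[-8:]` is what the key material says the short ID is, and `signature_issuer(...)` on each signature packet is what the signatures claim; they should agree, and with the posted key they do. Note that a keyserver listing or a signature's issuer field is only a claim, and 32-bit short IDs are cheap to collide, so compare the full 40-character fingerprint out of band before signing anyone's key.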
#2
I couldn't get my ESF email to work
Volunteers Are Unpaid , Not Because They Are Worthless. But Because They  Are Priceless !!!
#3
Never worked for me either. Admin sorted me out a few weeks ago. Even outside of the site email, you should be able to encrypt your mail.
Email: echo59@esforum.org            PGP key: AF7C8C3B
#4
I wonder does it work though? I'd say with the amount of intelligence agencies out there and their ability to capture data, I wonder is it a waste of time encrypting emails.
#5
I think with any electronic comms, if you don't want it intercepted you need to look for non electronic alternatives.
#6
It really depends on what you're sending at the end of the day
Volunteers Are Unpaid , Not Because They Are Worthless. But Because They  Are Priceless !!!
#7
I think it does in actual fact work. Particularly OpenPGP. Because the software is open-source, all the source code is available for anyone with the skill and interest to inspect. If there was any hint of a backdoor, or if part of the software didn't give a watertight process, then someone would have flagged this and the reputation of the company would be in tatters. This is in contrast to encryption systems from the big companies like Microsoft or Symantec, where you can never be too sure. Link.

Even with the S/MIME process the certificate hash is actually made by your web browser, so they don't store it. If you lose your PC and don't have a back-up of your certificate, then everything is lost. Even when your certificate expires and you get a new one, you need to keep all your old certificates otherwise you won't be able to open archived e-mails. They can revoke your certificate though.

The OpenPGP Wikipedia page is reassuring. The good thing about the PGP system is that nobody else has your private key, unless you let them have it. And even then it is passphrase-protected, so if your passphrase (or word...) is in any way strong it should take a number of years to decrypt a message.
Email: echo59@esforum.org            PGP key: AF7C8C3B
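Post #7 leans on the private key being passphrase-protected. What GnuPG actually does with the passphrase is OpenPGP's iterated-and-salted string-to-key (S2K) function from RFC 4880 section 3.7.1.3: salt plus passphrase are fed through a hash over and over until a configurable byte count has been consumed, and the digest becomes the key that wraps the secret key on disk. The block below is an added example (not from the thread and not GnuPG's own code) implementing that derivation and the work-factor arithmetic behind "a number of years"; the salt, count byte, passphrase and attacker hashing rate used with it are constructed values, and the function names are my own.

```python
import hashlib


def s2k_decode_count(coded: int) -> int:
    """Expand the one-octet coded count (RFC 4880 section 3.7.1.3) into bytes hashed per guess.

    The encoding is a 4-bit mantissa and 4-bit exponent, so counts run from 1024 (0x00)
    to 65,011,712 (0xFF); the cost of one guess scales linearly with this number.
    """
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated-and-salted S2K: the mode GnuPG uses to turn a passphrase into a key-wrapping key.

    salt||passphrase is hashed repeatedly until `count` bytes have gone through the hash.
    If the wrapping key is longer than one digest, further hash contexts are run, each
    preloaded with one more zero byte than the previous one, and the digests are joined.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salts are exactly 8 octets")
    block = salt + passphrase
    count = max(s2k_decode_count(coded_count), len(block))  # the block is always hashed at least once
    digest_size = hashlib.new(hash_name).digest_size
    key = b""
    for context in range(-(-key_len // digest_size)):  # ceiling division: contexts needed
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]  # a partial copy of the block finishes the byte count
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
    return key[:key_len]


def expected_crack_seconds(coded_count: int, entropy_bits: float, hash_bytes_per_second: float) -> float:
    """Expected brute-force time: half the candidate space, each candidate costing `count` bytes
    of hashing at the attacker's (constructed, caller-supplied) rate."""
    guesses = 2.0 ** entropy_bits / 2
    return guesses * s2k_decode_count(coded_count) / hash_bytes_per_second
```

The design point is that the count byte, not the hash, is what makes a guess expensive: at 0xFF every candidate passphrase costs about 65 MB of hashing, while at 0x00 it costs 1 KB, so the same passphrase is roughly 63,000 times cheaper to attack. The salt stops one precomputed table from serving every key, and the "years" in post #7 only follow when the passphrase itself carries enough entropy that half the candidate space times that per-guess cost exceeds what the attacker can afford.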
#8
http://www.independent.co.uk/life-style/...73035.html
British government threatening to impinge on our right to privacy. Or being blatant about it at least.
Email: echo59@esforum.org            PGP key: AF7C8C3B
#9
TechCentral.ie

Looks like Yahoo is working on an OpenPGP plug-in that will bring e-mail encryption to their Yahoo accounts.  You can also get a plugin for GMail but they don't integrate 100%, so I'm not 100% sure how good the new Yahoo plugin will be.

Options are Mailvelope which works with both Chrome and Firefox and will work with all the major webmail services (GMail, Hotmail/Outlook, Yahoo, etc) and can be configured for other webmail services.  Also GMail-Crypt works with GMail on Chrome only but seems to be fairly neat.
Email: echo59@esforum.org            PGP key: AF7C8C3B
#10
Interesting service here: ProtonMail

They offer a secure e-mail service and are constantly expanding their service.  Being based in Switzerland they take your privacy seriously so there won't be any US DOJ -v- MS Hotmail/Outlook case.  Seems like the best route to take for people that don't want the hassle of managing encryption keys and getting their correspondents to do the same.

It appears that they can (or will soon) be able to send a one-time encrypted message to someone who isn't a ProtonMail user.  Also iPhone and Android apps are coming soon...

Email: echo59@esforum.org            PGP key: AF7C8C3B
#11
I dabbled with openPGP and tails with virtualbox a while ago and to be honest I found it very complicated and difficult to learn. I'm fairly tech savvy, no programmer or anything, but openPGP would be far beyond the necessity of your average computer user, even a good one.
#12
(06-04-2015, 11:02 AM)sprinter22 Wrote: I dabbled with openPGP and tails with virtualbox a while ago and to be honest I found it very complicated and difficult to learn. I'm fairly tech savvy, no programmer or anything, but openPGP would be far beyond the necessity of your average computer user, even a good one.
In fairness, things have improved in the last few years.  Like you, I'd dabbled in the past and gotten nowhere.  If you use Outlook, the GPG4Win plugin actually works now.  Even better is the e-mail client called Thunderbird (same makers as Firefox web browser) and the Enigmail plugin.  The only problem is setting it up, once in place it should work fairly seamlessly.

The browser plugins you can get for GMail and Hotmail etc are even easier to set up.  But they do take a bit more work to manage your keyring and they're fine for your personal computer but it is not a solution if you are using a public PC.

I think that even the average computer user should be encrypting their e-mails.  E-mail is sent in clear text so that anyone who is interested can see exactly what is written.  Certainly if you are sending work-related stuff to or from a personal account it should be encrypted.  Ever send personal or financial information?  With work, if I'm ever sending anything home to work on I encrypt it.  Whole load of bad-ass grief if any of that ever went astray...

@Sprinter22, if you want to give it another go we could trial it.  I'm set up for PGP on my e-mail below so if you wanted to try it with sprinter22@gmail.com or something it should work out fine.
Email: echo59@esforum.org            PGP key: AF7C8C3B
#13
I like thunderbird. Very user friendly
Often the sheep do not like the sheepdog,  until the wolf comes.  Then the sheep try to hide behind the sheepdog, begging for his protection.
#14
(06-04-2015, 02:18 PM)ERU Wrote: I like thunderbird. Very user friendly
Yup.  And also very versatile.  It has come on in leaps in the last few years too.

Supposedly, I can't access my work e-mail in a client such as Outlook outside of the hospital network.  However, I can with Thunderbird and a utility called DavMail.  It pretends to be accessing my mail via the webmail interface (which we are allowed use off-site).  I can do nearly everything from home now, including copying an e-mail directly from my own account to work (without doing it as a forward), so it appeals to my OCD nature.  Sweet!
Email: echo59@esforum.org            PGP key: AF7C8C3B
#15
Lads, if I have an Office 365 email given to me, can I use Thunderbird to encrypt that, as I don't think the Office one has any encryption on it?
Volunteers Are Unpaid , Not Because They Are Worthless. But Because They  Are Priceless !!!
#16
(06-04-2015, 03:14 PM)amboman bobby Wrote: Lads, if I have an Office 365 email given to me, can I use Thunderbird to encrypt that, as I don't think the Office one has any encryption on it?
It depends.......

A lot depends on the type of Office 365 and where the mail service is hosted.  How do you check your e-mail currently?  Is it a webmail interface or do you start up Outlook?

If you use the Outlook application then you can continue to use that and you can install GPG4Win on your PC.  Sometimes the builtin plugin (GpgOL) doesn't work but there are at least 2 different types of GPG plug-ins that work, depending on the version of Outlook you have.  For Outlook 2013 it is Outlook Privacy Plugin.

You can easily switch over to using Thunderbird to check your e-mail if your mail host lets you connect to the server by either the POP or IMAP protocol.  If your email service uses the Exchange protocol then you will most likely need to run DavMail and have some extra plug-ins in Thunderbird to make it work.  If you were to set up your e-mail on your phone, what protocol would you use to connect?  Often you can tell this by the server name, or the settings you use on your phone.  That will tell you how/if Thunderbird can connect.

Also, if you only have webmail access to your e-mail then you can use Mailvelope to manage your encryption.  However this only works on the one particular browser and the one particular PC you've it set up on, so can be a lot of hassle if you move around.

Sorry my answer isn't very clear.  There are just so many variables that it is impossible to give a straight answer without knowing the answer to some of these questions.
Email: echo59@esforum.org            PGP key: AF7C8C3B
#17
I'll dig around and get back to you
Volunteers Are Unpaid , Not Because They Are Worthless. But Because They  Are Priceless !!!
#18
Anyone sending work emails to a personal email should also note it is nearly surely against some policy somewhere, encrypted or not. 

Certainly a good (great even) idea to encrypt mails if you are doing it. Just remember to encrypt stuff on your personal computer as well when at rest, not just in the email transit.

Be interested to know how that ProtonMail crowd intend sending one-time encrypted emails to users not set up. Email is plain text communication, not designed to be secure, so bashing secure elements on top causes all types of issues.
#19
(06-04-2015, 04:13 PM)amboman bobby Wrote: I'll dig around and get back to you
No bother...

(06-04-2015, 05:01 PM)wex-eire Wrote: Anyone sending work emails to a personal email should also note it is nearly surely against some policy somewhere, encrypted or not.

Certainly a good (great even) idea to encrypt mails if you are doing it. Just remember to encrypt stuff on your personal computer as well when at rest, not just in the email transit.

Be interested to know how that ProtonMail crowd intend sending one-time encrypted emails to users not set up. Email is plain text communication, not designed to be secure, so bashing secure elements on top causes all types of issues.
In general (with the HSE anyway) it is against policy to send information outside of the hse.ie domain unencrypted.  Once it is going to the "intended recipient" in an appropriate manner and will be stored as per the policy then that is OK.

From my reading ProtonMail intend to send the external encrypted messages similar to Cisco IronPort. If a message is sent to the IronPort server it is encrypted and sent as an attached file to the recipient.  It arrives in their mailbox and when they click on the attachment the message container opens in their web browser.  They have to enter the password in order to read the message.  You must get the password to them by alternative means, or use an agreed password each time.  ProtonMail should do something similar, I think.

Because people have tasks that they must complete, they are always going to be sending stuff by e-mail.  Whether it's credit card details for a purchase that can't be done online or something, people send information that they "shouldn't".  But it does need to be encrypted and it needs to be stored securely at the other end also.
Email: echo59@esforum.org            PGP key: AF7C8C3B
#20
Okay, so I was tech security savvy; turns out I'm not :/
Volunteers Are Unpaid , Not Because They Are Worthless. But Because They  Are Priceless !!!